blustealer | be7f48bc769105639774263b5a730b3960eac5fac8ba019d19a06aca81ebb946

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 02:32

Target

535deefc0c2866703f5a24782aa5b090.exe
Size

882KB
MD5

535deefc0c2866703f5a24782aa5b090
SHA1

1065b8088c3c0a21a7b45c32b1f3b27705e17d40
SHA256

be7f48bc769105639774263b5a730b3960eac5fac8ba019d19a06aca81ebb946
SHA512

f36fac63b6ee1080eb88daf0ad3ffee9a1bb3a1b4afa02e96455b3dbd2aa8fbf7eb32055e477043a7a0363ec14ac3b43ea40260ed91afbff456894680670b5ac
SSDEEP

12288:QUBDMmZriMmjwc+/aOU2xglqHo9a6NWPXjPb9jgTBvY9GhOEGUAV38I:IyrY565glqI46NWPjqBvzOcAm

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3340	535deefc0c2866703f5a24782aa5b090.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96
PID 3356 wrote to memory of 3340	3356	535deefc0c2866703f5a24782aa5b090.exe	96

C:\Users\Admin\AppData\Local\Temp\535deefc0c2866703f5a24782aa5b090.exe
"C:\Users\Admin\AppData\Local\Temp\535deefc0c2866703f5a24782aa5b090.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\535deefc0c2866703f5a24782aa5b090.exe
  "C:\Users\Admin\AppData\Local\Temp\535deefc0c2866703f5a24782aa5b090.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3340

memory/3340-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3340-19-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3340-12-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3356-4-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3356-0-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/3356-5-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/3356-7-0x0000000006190000-0x000000000622C000-memory.dmp

Filesize
624KB

Download
memory/3356-6-0x00000000054C0000-0x00000000054DC000-memory.dmp

Filesize
112KB

Download
memory/3356-8-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/3356-9-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3356-10-0x0000000006770000-0x0000000006804000-memory.dmp

Filesize
592KB

Download
memory/3356-11-0x0000000008D40000-0x0000000008D9E000-memory.dmp

Filesize
376KB

Download
memory/3356-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/3356-3-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/3356-17-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/3356-1-0x0000000000440000-0x0000000000522000-memory.dmp

Filesize
904KB

Download